Remember the Hollywood Presbyterian Hospital? Early last year, a group of criminals encrypted the healthcare provider’s critical systems, forcing the organization to shut down until it produced a five-figure ransom. It was the beginning of what was arguably the worst year in the history of cybersecurity, heralding a constant drumbeat of breaches.
Well, never say that the moral arc of the universe doesn’t bend towards justice. Late in 2016, a joint task force including law enforcement agencies from 40 countries just went and shut those criminals down. The Avalanche Crime Syndicate, as it was known, is now a thing of the past. Its operations are shuttered and its servers are shut down—but how did it rise to prominence in the first place?
Here’s a good look at the rise of a criminal organization in the digital era—and what it took to shut them down.
The Avalanche Crime Syndicate Combined Scale with Sophistication
The Avalanche Crime Syndicate has been around since well before the widespread adoption of malware. Starting around 2009, the syndicate first began to assemble a massive botnet. It also went on to generate phishing attacks, a lot of them: from 2009 onward, Avalanche was responsible for two-thirds of all observed phishing attacks. Eventually, Avalanche moved into ransomware. The organization also ran a cloud-services model on the side, renting its infrastructure and expertise to other criminal enterprises.
Along the way, Avalanche developed sophisticated tools that allowed it to evade detection. One of these was an iteration on a tool known as a Domain Generation Algorithm (DGA). Essentially, criminals who rely on a single domain to host their C2 servers will inevitably be stopped: administrators find it easy to identify the one malicious domain or IP address and block it.
A DGA therefore produces a great many domain names. The criminals switch between these domains at will, and their malware uses the same seeded pseudo-random generator as its operators to decide which of these domains to try next, so both sides arrive at the same candidate list without ever exchanging it. The Avalanche Crime Syndicate perfected this behavior with a technique known as Double Fast Flux, which rotated both the IP addresses behind its domains and the name servers answering for them every five minutes.
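As an added illustration from the defender's side (this is not SentinelOne's code, nor the method used in the takedown), the following Python flags double-flux behavior in constructed passive-DNS records: a name whose A answers and NS answers both churn inside a short window. The record format, names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style log: (timestamp, queried name, record
# type, answer). One name rotates both A and NS answers every five
# minutes; the other is an ordinary, stable name. Names use the reserved
# .test/.example labels and RFC 5737 documentation addresses.
SAMPLE_RECORDS = [
    ("2016-12-01T10:00:00", "shop-update.test", "A", "203.0.113.10"),
    ("2016-12-01T10:00:00", "shop-update.test", "NS", "ns1.relay-cdn.test"),
    ("2016-12-01T10:05:00", "shop-update.test", "A", "198.51.100.22"),
    ("2016-12-01T10:05:00", "shop-update.test", "NS", "ns7.relay-cdn.test"),
    ("2016-12-01T10:10:00", "shop-update.test", "A", "192.0.2.77"),
    ("2016-12-01T10:10:00", "shop-update.test", "NS", "ns3.relay-cdn.test"),
    ("2016-12-01T10:15:00", "shop-update.test", "A", "203.0.113.131"),
    ("2016-12-01T10:15:00", "shop-update.test", "NS", "ns9.relay-cdn.test"),
    ("2016-12-01T10:00:00", "intranet.example", "A", "192.0.2.1"),
    ("2016-12-01T10:00:00", "intranet.example", "NS", "ns1.example"),
    ("2016-12-01T10:10:00", "intranet.example", "A", "192.0.2.1"),
    ("2016-12-01T10:10:00", "intranet.example", "NS", "ns2.example"),
]

def churn_by_name(records, window_minutes=30):
    """Collect the distinct A and NS answers seen per name inside a
    window ending at the latest timestamp in the records."""
    parsed = [(datetime.fromisoformat(t), n, rt, rd) for t, n, rt, rd in records]
    cutoff = max(t for t, _n, _rt, _rd in parsed) - timedelta(minutes=window_minutes)
    churn = defaultdict(lambda: {"A": set(), "NS": set()})
    for ts, name, rtype, rdata in parsed:
        if ts >= cutoff and rtype in ("A", "NS"):
            churn[name][rtype].add(rdata)
    return dict(churn)

def classify(churn, a_threshold=3, ns_threshold=3):
    """Label each name: 'double-flux' when both A and NS answers churn,
    'single-flux' when only the A answers do, otherwise 'stable'.
    Thresholds are assumptions; tune them against your own resolver logs."""
    labels = {}
    for name, seen in churn.items():
        a_churn = len(seen["A"]) >= a_threshold
        ns_churn = len(seen["NS"]) >= ns_threshold
        if a_churn and ns_churn:
            labels[name] = "double-flux"
        elif a_churn:
            labels[name] = "single-flux"
        else:
            labels[name] = "stable"
    return labels
```

Running `classify(churn_by_name(SAMPLE_RECORDS))` labels shop-update.test as double-flux and intranet.example as stable; a content-delivery network can legitimately rotate A records, so the NS churn is what separates double flux from ordinary load balancing.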
Catching Avalanche Required Massive Cooperation
How can law enforcement track down an adversary that can hide so easily? The exact technique that law enforcement officers used to take down Avalanche is secret—they don’t want other criminal organizations catching on and hiding their tracks—but the chief ingredient appears to be time. The eventual takedown of Avalanche began in 2012, when German police forces first noticed an emerging wave of ransomware.
Once all was said and done, five individuals, including at least one member of the syndicate’s leadership, were arrested. Over two hundred C2 servers were taken offline, and a staggering 800,000 domains are now shuttered. However, the work may still not be over.
As we’ve seen in incidents where major hacking organizations are shut down, successor organizations quickly pop up. For example, after a major botnet market recently went offline, botnet services were being sold faster than ever, although that surge may be fueled by the availability of the Mirai source code.
Similarly, any partners or subordinates of the Avalanche network who remain free are probably motivated to build their own successor services in a hurry. While these services may lack the scale and sophistication of Avalanche, there may be enough of them that the internet won’t see any slackening in the rate of DDoS attacks and attempted hacks. Let’s just hope that it doesn’t take another four years to smoke them out.
In the meantime, it’s important to note that a computer running SentinelOne would still detect and mitigate malware that employed the double-flux technique. Any kind of unauthorized internet connection runs up a giant red flag in our platform’s behavioral detection component. Therefore, even the advanced malware run by Avalanche or its successors would find itself throttled. For more information, check out our white paper, “Looking Beyond AV,” and learn how SentinelOne uses overlapping components to detect and mitigate malware regardless of its sophistication.